About this Guide


About Qualys 


Qualys, Inc. (NASDAQ: QLYS) is a pioneer and leading provider of cloud-based security and 
compliance solutions. The Qualys Cloud Platform and its integrated apps help businesses 
simplify security operations and lower the cost of compliance by delivering critical 
security intelligence on demand and automating the full spectrum of auditing, 
compliance and protection for IT systems and web applications. 


Founded in 1999, Qualys has established strategic partnerships with leading managed 
service providers and consulting organizations including Accenture, BT, Cognizant 
Technology Solutions, Deutsche Telekom, Fujitsu, HCL, HP Enterprise, IBM, Infosys, NTT, 
Optiv, SecureWorks, Tata Communications, Verizon and Wipro. The company is also a
founding member of the Cloud Security Alliance (CSA). For more information, please visit
www.qualys.com 


Qualys Support 


Qualys is committed to providing you with the most thorough support. Through online 
documentation, telephone help, and direct email support, Qualys ensures that your 
questions will be answered in the fastest time possible. We support you 7 days a week, 
24 hours a day. Access online support information at www.qualys.com/support/. 


Overview 




Qualys Gateway Service (QGS) is a packaged virtual appliance developed by Qualys that 
provides proxy services for Qualys Cloud Agent deployments that require proxy 
connectivity to connect agents to the Qualys Cloud Platforms. 


Qualys Gateway Service is managed using a new module user interface on the Qualys 
platform. From this interface, one can create, register, monitor, and manage QGS virtual 
appliance deployments. 


The QGS virtual appliance is separate and different from the virtual scanner appliance 
that is used for Vulnerability Management and Policy Compliance scanning. The QGS 
virtual appliance only provides proxy services for Cloud Agent deployments. 


The following features and capabilities are available in QGS virtual appliance: 


- A virtual appliance image downloaded, registered, and managed from the Qualys
  platform user interface using the QGS module
- Support for any Cloud Agent version that supports HTTP/HTTPS proxy (all agents
  since 2016)
- Explicit forward proxy
- SSL/TLS pass-through bypass
- Can be deployed in High-Availability failover using external 3rd party load
  balancers
- Connection Security: the QGS proxy will only provide connections to the Qualys
  platform from where it is registered. It is not possible to use QGS to proxy
  connections to any other destination.
- Shared Platform support (Private Cloud Platforms require coordination with
  Qualys Operations)
- Enabling Allowed Domains: We have added an option that lets you allow traffic
  for required domains.
  - Default Domains Allowed: qualys.eu, qualys.ca, qualys.com, qualys.in

Virtualization Server Requirements and Virtual Machine File Formats

Virtual Server           Supported Versions         File Format
VMware vSphere / ESXi    5.5, 6.0, 6.5, 6.7, 7.0    VMDK, OVA, OVF
Microsoft Hyper-V        2012, 2012 R2, 2016        VHD


Virtual Machine Configuration

- 2 vCPUs
- 16 GB RAM minimum
- 30 GB Disk minimum (For QGS primary disk only)
  - For Patch Mode, a second disk of 250GB minimum is required
- One network adapter
  - IP address configured with a Default gateway
  - QGS Proxy listening port for Cloud Agents: 1080 (can be changed)
  - QGS Cache listening port for Cloud Agent: 8080 (can be changed)
- Available support to connect QGS to upstream proxy server, if required
  - IP/DNS name and port of upstream proxy
  - Optional username/password proxy credentials
  - Support for upstream proxy domain-based filtering
  - This is a method for adding the static host to IP mapping to the QGS appliance.
    Similar to an entry in the /etc/hosts file, this is a way to add a FQDN<-->IP
    mapping to the QGS service.

Network Configuration


QGS requires connectivity to four (4) URLs/IPs on the Qualys Platform for full 
functionality. The appropriate network routing, firewall rules, and upstream proxy 
configurations (if used) must be configured correctly to allow QGS to connect to these 
URLs/IPs. 


- One URL/IP is for Cloud Agents to connect through QGS to the Qualys Platform
- Three URLs/IPs are for QGS to connect to Qualys Platform for management
  functions
- One URL/IP is for operating system updates as this appliance is based on Flatcar
  Linux

Platform  Cloud Agent                     Qualys Gateway Service

US 1      qagpublic.qg1.apps.qualys.com   camspublic.qg1.apps.qualys.com
                                          camspm.qg1.apps.qualys.com
                                          camsrepo.qg1.apps.qualys.com
                                          update.release.flatcar-linux.net

US 2      qagpublic.qg2.apps.qualys.com   camspublic.qg2.apps.qualys.com
                                          camspm.qg2.apps.qualys.com
                                          camsrepo.qg2.apps.qualys.com
                                          update.release.flatcar-linux.net

          qagpublic.qg3.apps.qualys.com   camspublic.qg3.apps.qualys.com
                                          camspm.qg3.apps.qualys.com
                                          camsrepo.qg3.apps.qualys.com
                                          update.release.flatcar-linux.net

          qagpublic.qg4.apps.qualys.com   camspublic.qg4.apps.qualys.com
                                          camspm.qg4.apps.qualys.com
                                          camsrepo.qg4.apps.qualys.com
                                          update.release.flatcar-linux.net

EU 1      qagpublic.qg1.apps.qualys.eu    camspublic.qg1.apps.qualys.eu
                                          camspm.qg1.apps.qualys.eu
                                          camsrepo.qg1.apps.qualys.eu
                                          update.release.flatcar-linux.net

EU 2      qagpublic.qg2.apps.qualys.eu    camspublic.qg2.apps.qualys.eu
                                          camspm.qg2.apps.qualys.eu
                                          camsrepo.qg2.apps.qualys.eu
                                          update.release.flatcar-linux.net

          qagpublic.qg1.apps.qualys.in    camspublic.qg1.apps.qualys.in
                                          camspm.qg1.apps.qualys.in
                                          camsrepo.qg1.apps.qualys.in
                                          update.release.flatcar-linux.net

CA 1      qagpublic.qg1.apps.qualys.ca    camspublic.qg1.apps.qualys.ca
                                          camspm.qg1.apps.qualys.ca
                                          camsrepo.qg1.apps.qualys.ca
                                          update.release.flatcar-linux.net

Qualys Gateway Service User Interface Module


Qualys Gateway Service has a user interface module on the Qualys Platform. Customers 
with purchased or trial accounts see the QGS module in the module picker. 


Use the QGS UI to create, configure, monitor, disable, and delete QGS appliances deployed 
in your organization. 


[Screenshot: module picker showing Qualys Gateway Service under Sensor Management, alongside Vulnerability Management, Asset Management and Administrator.]


In order to deploy a QGS virtual appliance, log into the Qualys Platform, select the QGS
module, and follow the steps below. By default, QGS is configured as a proxy server only
when deployed. Cache Mode and Patch Cache Mode are additional configuration options
that must be explicitly enabled.


[Figure: deployment workflow. In the QGS Module UI: 1. Create New Appliance; 2. Generate Personalization Code; 3. Download Virtual Appliance Image; 6. See Appliance Status. On the Virtualization Server: 4. Configure VM as per Specs; 5. Set Network, Set upstream Proxy, Enter Code.]


1) Create a New Appliance. Give the appliance a name and enter a location, if desired. 


2) Generate a Personalization Code. Similar to the virtual scanner, you will need to enter 
this Personalization Code in the QGS virtual appliance local user interface to fully 
configure the appliance. 


3) Select Download Image and choose the appropriate file format for your environment.


4) Download/copy the virtual appliance image to your virtualization server. 




- Configure the Virtual Machine properties following the specified resources. 


Important: Enabling caching for Qualys Patch Management requires a second virtual hard 
drive to be added to the virtual appliance before Patch Cache Mode can be enabled as a 
feature. 100-250GB is recommended. 


5) Start the image. 
Note: Console access to the running image is required to configure the appliance. 


6) Use the console-based user interface to configure the virtual appliance for networking, 
DNS, time server, and optional upstream proxy configuration (see instructions below). 

7) Validate that the appliance can successfully communicate with the Qualys Platform.


8) Register the Appliance with the Qualys Platform.


The QGS Appliance supports a Diagnostic mode to help accelerate Qualys Customer 
Support troubleshooting and problem resolution, primarily for initial network setup and 
registration issues. Refer to the section below on Diagnostics Mode. 

Changing the Proxy Port 


After successful appliance deployment and registration, you can change the proxy port 
from default 1080 to any allowable port number. 


1) Use the Quick Action menu to select Configuration (hover over the appliance name in 
the appliance list until the Quick Action down-arrow menu appears) 


2) In the first configuration step (Proxy), enter the new proxy port. 


3) Click Next through the menu, then Finish to save the configuration.


[Screenshot: Configuration, step 1/3 (Proxy): Configure the Proxy Port. Cloud Agents connect to Qualys Cloud Platform using the proxy port while using Qualys Gateway Service. Proxy Port: 1080.]


Note: Valid Port values are 1 — 65535 (integers only), excluding 22, 23, 2379, 2380, 4001, 
5514, 7001, 48081, 48082, 48083, 48084, 48085, 48086. 


On the next appliance check-in, the appliance will download the configuration and use 
the new proxy port. 

Cache Mode and Patch Mode Configuration


Cache Mode is an optional feature used to optimize the download network bandwidth 
used by Cloud Agents whereby the QGS appliance caches downloaded Cloud Agent 
artifacts (installers for platform-initiated upgrades and manifest files). 


Files downloaded by the first-connecting agent will be cached on the QGS appliance to be 
served to any subsequent configured agents requesting the same content. This will save 
Internet download bandwidth from the Qualys cloud platform to the on-premise network 
as only one copy of unique files will be downloaded. For environments with a large number
of Cloud Agents deployed, this can save a significant amount of download bandwidth.


File Type     Interval   Number of Agents   Bandwidth without Caching   Bandwidth with Caching
VM Manifest   Daily      1,000              2 GB                        2 MB
VM Manifest   Daily      5,000              10 GB                       2 MB
VM Manifest   Daily      10,000             20 GB                       2 MB
VM Manifest   Daily      25,000             50 GB                       2 MB

Patch Mode extends the caching capability to cache patch files for Cloud Agents activated
with the Qualys Patch Management application. Similar to Cache Mode where the gateway
appliance caches the downloaded Cloud Agent artifacts, Patch Mode will cache the patch
files downloaded by the first requesting Cloud Agent in order to serve patch files locally to
subsequent download requests. Patch Mode uses the same port and connection as Cache
Mode.


Note: When Patch Mode is enabled, the default Connection Security that only allows
outbound connections from the gateway appliance to Qualys platform domains is
disabled. Cloud Agents with the Patch Management application need to download patch
files from the software vendor's website, so the gateway appliance allows connections to
any Internet resource. In Patch Mode, Connection Security is configured to only allow
client connections from Cloud Agent clients as an additional protection method.


Cache Mode and Patch Mode are not enabled by default. Additional configuration is
required to enable caching and patch file caching, both on the gateway appliance itself
(using the QGS module UI) and on the host that runs the Cloud Agent.

Qualys Gateway Appliance Configuration

To enable Cache Mode or Patch Cache Mode on an existing QGS appliance:


1) For a specific appliance, use the Quick Action menu to select Configuration (hover over 
the appliance name in the appliance list until the Quick Action menu appears) 


2) Click Next through the menu until Caching Modes 
3) To enable Cache Mode, toggle the On/Off slider to On 


4) The default cache port is 8080. You may accept or change the cache port to an 
allowable port number. 


Note: Valid Port values are 1 — 65535 (integers only), excluding 22, 23, 2379, 2380, 4001, 
5514, 7001, 48081, 48082, 48083, 48084, 48085, 48086. 


5) To enable Allowed Domains, toggle the On/Off slider to On 


Allowed Domains: This option will allow traffic to required domains. You can add the 
domain names manually. 


Default Domains Allowed: qualys.eu, qualys.ca, qualys.com, qualys.in 


Note: While adding domains in the allowed domain section you should not add a prefix
like http(s)://www. For instance, if you want to allow traffic to Microsoft then you should
enter only microsoft.com and not https://www.microsoft.com


[Screenshot: Configuration, step 2/3 (Modes): Configure Modes. Cache Mode: enable Cache Mode to cache Cloud Agent artifacts including version installers and manifests; the cache port is used when Cache Mode is enabled; requires Cache Certificates to be installed on all Cloud Agent assets; Cache Port 8080. Allowed Domains: enable to allow the traffic to required domains; enter domain without 'www.' prefix; you can add maximum 10 domains. Patch Mode: enable Patch Mode to cache patch files when using Patch Management app for Cloud Agent; Patch Mode uses the Cache Mode port configuration.]


6) To enable Patch Mode, toggle the On/Off slider to On


Note: A second disk with required minimum free disk space must be attached to the
virtual appliance first. Patch Mode cannot be enabled if the disk is not attached.


7) Click Next through the menu until TLS Protocols 


8) Select the Minimum TLS Protocol Version allowed for agent connections. To support 
older operating systems that only support TLS, select TLS 1.0 as the minimum protocol 
version. (Default setting is TLS 1.2 and higher.) 
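
A pre-deployment lint of the settings chosen in the steps above, as an added example (not Qualys code): it applies the guide's port exclusions, the Allowed Domains entry rules and 10-domain limit, the default minimum TLS version and the Patch Mode note. The configuration dict, its keys and the function names are hypothetical, and the subdomain matching in `covers` is an assumption, since the guide does not describe how the appliance matches entries.

```python
from urllib.parse import urlsplit

# Ports the guide excludes from the valid 1-65535 range.
EXCLUDED_PORTS = frozenset({22, 23, 2379, 2380, 4001, 5514, 7001,
                            48081, 48082, 48083, 48084, 48085, 48086})
# Domains the guide lists as allowed by default.
DEFAULT_DOMAINS = ("qualys.eu", "qualys.ca", "qualys.com", "qualys.in")
MAX_ADDED_DOMAINS = 10          # "You can add maximum 10 domains"
TLS_VERSIONS = ("1.0", "1.1", "1.2", "1.3")
DEFAULT_MIN_TLS = "1.2"


def check_port(name, value):
    """Findings for one listening port (proxy or cache)."""
    if isinstance(value, bool) or not isinstance(value, int):
        return [("error", f"{name}: {value!r} is not an integer")]
    if not 1 <= value <= 65535:
        return [("error", f"{name}: {value} is outside 1-65535")]
    if value in EXCLUDED_PORTS:
        return [("error", f"{name}: {value} is an excluded port")]
    return []


def bare_domain(entry):
    """Strip scheme, www. prefix, port and path from what an operator typed."""
    text = entry.strip().lower()
    if "://" in text:
        text = urlsplit(text).hostname or ""
    else:
        text = text.split("/", 1)[0].split(":", 1)[0]
    if text.startswith("www."):
        text = text[4:]
    return text.rstrip(".")


def covers(host, domains):
    """True if host is a listed domain or a subdomain of one.

    Label-boundary matching is an assumption made for this example; the
    guide does not describe how the appliance matches entries. A plain
    endswith() test would also accept 'notqualys.com' for 'qualys.com'.
    """
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)


def lint_config(cfg):
    """Return (severity, message) findings for a planned configuration."""
    findings = check_port("proxy_port", cfg.get("proxy_port", 1080))
    if cfg.get("cache_mode") or cfg.get("patch_mode"):
        # Patch Mode uses the Cache Mode port configuration.
        findings += check_port("cache_port", cfg.get("cache_port", 8080))

    added = cfg.get("allowed_domains", [])
    if len(added) > MAX_ADDED_DOMAINS:
        findings.append(("error", f"allowed_domains: {len(added)} entries, "
                                  f"maximum is {MAX_ADDED_DOMAINS}"))
    for entry in added:
        bare = bare_domain(entry)
        if "." not in bare:
            findings.append(("error", f"allowed_domains: {entry!r} is not a domain"))
        elif bare != entry:
            findings.append(("error", f"allowed_domains: enter {bare!r}, not {entry!r}"))
        elif covers(bare, DEFAULT_DOMAINS):
            findings.append(("info", f"allowed_domains: {bare!r} is under a default domain"))

    min_tls = cfg.get("min_tls", DEFAULT_MIN_TLS)
    if min_tls not in TLS_VERSIONS:
        findings.append(("error", f"min_tls: unknown version {min_tls!r}"))
    elif TLS_VERSIONS.index(min_tls) < TLS_VERSIONS.index(DEFAULT_MIN_TLS):
        findings.append(("warn", f"min_tls: {min_tls} is below the default {DEFAULT_MIN_TLS}"))

    if cfg.get("patch_mode"):
        findings.append(("warn", "patch_mode: gateway is no longer limited to "
                                 "Qualys platform domains for outbound connections"))
    return findings


# Constructed sample configuration, not taken from a real appliance.
SAMPLE = {
    "proxy_port": 2379,                      # on the excluded list
    "cache_mode": True,
    "cache_port": 8080,
    "patch_mode": True,
    "min_tls": "1.0",
    "allowed_domains": ["https://www.microsoft.com", "example.org"],
}

if __name__ == "__main__":
    for severity, message in lint_config(SAMPLE):
        print(f"{severity.upper():5} {message}")
```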


[Screenshot: Configuration, step 3/3 (TLS Protocols): Allow Cloud Agent connection to the gateway on enabled protocols. (Connections from the gateway to Qualys platform always only use the highest TLS protocol available and is not configurable.) Minimum TLS Protocol Version: TLS 1.0.]


Note: To enable this mode, a second virtual disk drive of at least 10 GB (100-250 GB 
recommended) must be added to the virtual appliance prior to enabling Patch Mode. 


Cloud Agent Configuration


Refer to the Cloud Agent Install Guide for each supported operating
system for the appropriate proxy configuration and certificate installation instructions.


Configuring Cloud Agents to use the IP or DNS name of the QGS as the agent's proxy is
similar to any other proxy server configuration.


Cloud Agent Windows 3.1 supports multiple proxy servers (semi-colon separated) and 
uses them for connection in the order defined. If the agent can't connect to the proxy 
server, the agent will try to connect to the next one in the defined list. 


Cloud Agent Linux, AIX, and Mac add this feature in the upcoming version 2.5 release. 


Cloud Agent Cache Mode and Patch Mode Configuration 


Cloud Agents deployed in Cache and Patch Mode require the public certificate of each QGS
appliance to be installed on the host that runs the Cloud Agent.


There are two certificate deployment options available in the QGS User Interface:

1) Certificate File in PEM file format for any operating system

- Use any supported software distribution tool to deploy the certificate PEM to the
host certificate store

2) MSI Certificate File installer for Windows operating systems

- Use any supported software distribution tool (SCCM, GPO, BigFix, etc.) to deploy
the certificate by installing the Win.MSI file

- Install the certificate manually on a single host

C:\>msiexec -I <location to file WIN.msi>


Qualys Gateway Service Module User Interface 


[Screenshot: Appliances list with the Activity Summary widgets Active Agents (24 Hours), Total Agents (7 Days) and Bandwidth Savings (30 Days), the New Appliance, Download Image and Download Common CA buttons, and the columns Status, Appliance, Deploy Location, Unique IPs, Active Agents, Proxy Port, Cache Port, TLS Protocol and Client Health.]


The Activity Summary widgets provide aggregate activity information for all QGS
appliances in the subscription. Active Agents and Total Agents count the number of unique
agent IPs connecting through all appliances. Bandwidth Savings is calculated in cache
mode.


- Status: This column shows the current status of your appliance. Appliances with the
common CA certificate enabled are shown with an icon (highlighted) on the appliance list
page.


- Unique IPs: This column shows the count of unique IPs that communicated
through the QGS appliance in the last 60 minutes.


- Active Agents: This column shows the number of active agents that communicated via QGS
in the last 24 hours when QGS and Cloud Agent are configured to be used in Cache mode.


In Proxy mode, you'll see only the unique IPs count on the QGS UI, while in Cache mode you'll
see the count of active agents and unique IPs on the QGS UI.

Create New Appliance / Generate Personalization Code / Use Common Certificate


[Screenshot: New Appliance form. Create Appliance: Deployment Location. Registration: Personalization Code (generate the personalization code and keep it handy to register the appliance once you download the image), with Generate Code and Copy buttons. Advanced Settings: use a common certificate while registering the appliance; we recommend using the common certificate for all appliances.]


The appliance can be created with a Common CA certificate enabled. This lets you
deploy a single certificate across all the Cloud Agents meant for the particular appliance.


If you want to use a common certificate while registering the appliance, select the Use
Common Certificate checkbox.


Note: We recommend using the Common CA certificate for all the appliances.


View List of Appliances and their Status 


[Screenshot: Appliances list with the Download Image and Download Common CA buttons and the per-appliance status columns.]


A single Subscription certificate will be available instead of an appliance-specific
certificate on the appliance list if appliances are registered with the common CA
certificate option.


Appliances with the common CA certificate enabled are shown with an icon (highlighted) on
the appliance list page.


Download Image of the Virtual Appliance 


Virtualization Platform Image

Download the required image from the list of platforms we support.

IMAGE NAME                              FILE SIZE
qualys-qgs-appliance-1.0.0-6.ova        1.02GB
qualys-qgs-appliance-1.0.0-6.ovf.zip    1.01GB
qualys-qgs-appliance-1.0.0-6.vmx.zip    1.01GB
qualys-qgs-appliance-1.0.0-6.vhd.zip    1.01GB


Download Common CA 


You can download the common CA certificate from the appliance details page or the 
appliance list page. 


Note: To download the common CA Certificate, you must create and register a new 
appliance with the common CA certificate option enabled. After registering the appliance 
with a common CA certificate, it takes about 15 to 20 minutes to generate the common CA 
certificate. 


[Screenshot: Download Common CA dialog. Download and install the required certificates for Cache Mode for all applicable hosts running Cloud Agents. Options: Certificate Installer on Windows (WIN.msi); File on Any Operating System (Appliance-Certificate.pem).]


After Successful Setup and Registration, the Appliance has Active Status 


[Screenshot: Appliances list in which the registered appliances show the status Active.]

View Details, Stats, and Logs of an Active Appliance


[Screenshot: View Details page for an appliance, with Identification, Configuration (including Allowed Domains) and Activity sections.]


The Performance graph shows connection counts by unique agent IP addresses over the 
time period selected. 


Allowed Domains: This option displays your allowed domain's information. 


Virtual Appliance Local Configuration 


The Qualys Gateway Service virtual appliance utilizes a text-based user interface available 
from the appliance console to configure, set networking, view status, perform diagnostics, 
and reset the appliance. 


Local Configuration Menu Structure

Registration
System
    Network
        First
        DNS
        Proxy
    Time
Info
Diagnostics
    Containers
    Images
    Units
    Logs
    Stats
Commands
    Ping
    Reboot
    Shutdown
    Reset


Configuration Screens


Next we’ll document the screens used to configure & manage the Qualys Gateway Service. 


QGS virtual appliance starting up 


[Screenshot: appliance console showing kernel and systemd boot messages while the SELinux policy loads.]


Main Configuration Menu 
Under System menu, configure Network Settings 


[Screenshot: main Configuration menu with Registration (Register the Appliance with Qualys), System, Info (General Information), Diagnostics (Information) and Commands (Various commands).]


Network Configuration


[Screenshot: System Configuration menu with Network (Network Settings), Time (System Time Settings) and Qualys status URL (Edit Qualys Status URL).]


First ethernet interface


[Screenshot: Configuration menu with Network Interface Settings (eth0), DNS Settings and Proxy Server.]

DHCP
If using DHCP, configure the virtual appliance network interface to use DHCP.


This is the IP of the QGS proxy that Cloud Agents will connect to, running on port 1080.


[Screenshot: Network interface configuration with the options DHCP, Static and Unconfigured.]


Static
If using Static IP, configure the virtual appliance network interface to use Static IP Address.


Cloud Agents connect to the Static IP Address on port 1080.


Set static IP address, if used.
IP address uses a 32-bit netmask, e.g. “/24” for 255.255.255.0
Specify the Default Gateway IP address.

[Screenshot: static IP form with the fields IP (CIDR) and Gateway.]


DNS Servers
Set DNS servers for the virtual appliance to resolve the Qualys URLs.


[Screenshot: DNS Servers form with two DNS fields and a Search domain field.]


Proxy Servers
Configure upstream Proxy Server, if using proxy chaining.


[Screenshot: Proxy Settings form with the fields Proxy URL, Proxy Port, Username, Password, DNS Host and DNS IP.]


Info


[Screenshot: main Configuration menu with Registration (Register the Appliance with Qualys), System (System Settings), Info, Diagnostics (Information) and Commands (Various commands).]


QAG Status: Connected
QAG Status: Connected shows that QGS can connect to the Qualys POD.


If the status is not Connected, verify network connectivity and firewall settings.


Note: As of QGS v2.1.0 release, the appliance TUI will display the service version on the
Info tab, as shown in the following screenshot.


[Screenshot: Info tab showing QAG Status (Connected), QAG Status URL, DNS Servers, System Time, System Timezone, Appliance ID, Appliance Name, Qualys URL, System Updates, Build-version and Service Version.]


Registration


[Screenshot: main Configuration menu with Registration (Register the Appliance with Qualys), System (System Settings), Info (General Information), Diagnostics (Information) and Commands (Various commands).]

Enter the Personalization Code generated in the QGS User Interface module.


[Screenshot: prompt "Enter lookup code in *lowercase*" with an empty input field.]


Here's an example of a redacted Personalization Code.


[Screenshot: the same prompt with a redacted Personalization Code entered.]


Registration in process 


Please wait while appliance registration is being 
verified. This may take few minutes. 


WARNING: Do not interact with the appliance during this 
time. 

Successful Registration


Appliance is registered successfully


Diagnostics


[Screenshot: Diagnostics menu with Containers (Docker containers), Images (Docker images), Units (Services units), Logs (Logs) and Stats (Container Stats).]

Containers


[Screenshot: Containers list (NAMES, STATUS, COMMAND) showing HAPROXY, CONFD-HAPROXY, cams-logstash, squid-2 and CAMSD, each with the status "Up 17 minutes".]


Images


[Screenshot: Images list (REPOSITORY, IMAGE ID) showing the cams-haproxy, cams-keepalived and cams-squid images.]

Units

cams-logstash
cams-rsyslog-journal-cat    active
cams-rsyslog                active
CAMSD                       active
HAPROXY-reload              failed
HAPROXY-watch               active
HAPROXY                     active
internal-proxy              active
qualys-appliance-init       inactive
squid-1                     active
squid-2                     active


Logs 
View log file of the virtual appliance. (Logs are also uploaded to the QGS UI Module.) 


Logs are sorted with most recent descending. 


Navigation and search commands are defined in the UI. 


[Screenshot: log viewer showing timestamped appliance log lines (rsyslog, logstash, docker, systemd and kernel messages) with the search forward and search backward commands.]


You do not need to delete or archive logs. The QGS appliance will automatically clean up
its logs and disk space as it reaches capacity.


Proxy 
Executes a network connection test through a configured upstream proxy. 

Stats
View utilization of the virtual appliance services.

CONTAINER ID    NAME             MEM USAGE
960eb4df3552    HAPROXY          2.285MiB
1e480d9ab0f3    CONFD-HAPROXY    1.656MiB
f5459536ba9a    cams-logstash    501.1MiB
ffe47a1b904e    squid-2          160.4MiB
f18fac5251ac    CAMSD            7.055MiB


Commands 


[Screenshot: main Configuration menu with Registration (Register the Appliance with Qualys), System (System Settings), Info (General Information), Diagnostics (Information) and Commands (Various commands), with Commands selected.]


Ping 
Ping is required to perform the connectivity checks, so make sure that ping is enabled for
the IPs/URLs listed in the Network Configuration section.

[Screenshot: Commands menu with Ping (Perform IPv4 Ping), Reboot, Shutdown and Reset; the Ping prompt asks for an FQDN or IPv4 address.]


Reset appliance 
Reset appliance to its original unconfigured state. 


Warning: All configurations and log files will be deleted. 


[Screenshot: confirmation dialog: Reset appliance? Warning: this action will reset appliance to its original state. Do you want to continue?]


Reset network interface 
Reset network interface of virtual appliance. 


Note: This only resets the network configuration of the appliance. 


[Screenshot: confirmation dialog: Reset network configuration? Do you want to also reset network interfaces? Doing so can prevent access to this machine.]


Diagnostics Mode 


The QGS Appliance supports a Diagnostic mode to help accelerate Qualys Customer 
Support troubleshooting and problem resolution, primarily for initial network setup and 
registration issues. The Diagnostic mode is a user-initiated command that creates an 
encrypted report archive for the customer to collect and submit to Qualys Customer 
Support. The Diagnostics command creates a one-time generated password to download 
the encrypted report archive from the QGS appliance using SFTP. 


1) On the local console-based user interface, select the Diagnostics menu 


[Screenshot: main Configuration menu with Registration (Register the Appliance with Qualys), System (System Settings), Info (General Information), Diagnostics (Information) and Commands (Various commands), with Diagnostics selected.]


2) Executing the Diagnostics mode will trigger the appliance to create the encrypted report 
archive and generate a one-time random password to access the appliance to copy the 
diagnostics archive. 


3) Connect to the appliance over SFTP with the diagnostics username and one-time
random password.


4) Download the encrypted report archive from the appliance to a system of your 
choosing. 


5) Upload/attach the encrypted report archive to a Qualys customer support case. 